The increasing use of transaction verification throughout the world is most visibly exhibited in the credit card and other card payment systems commonly used in grocery stores, universities and, increasingly, internet websites. A prevalent problem with remote payment card systems has been remote transaction verification. The primary method of transaction verification security involves a user's signature, which is often signed onto a sales receipt. Apart from being relatively easy to forge, such a signature system does not adapt itself to modern remote electronic media, such as the internet.
An early verification method involves a basic Luhn algorithm to generate each unique card number in a non-sequential manner, which is then verified by testing against the algorithm. It is not intended to be cryptographically secure, as it protects against accidental error, not malicious attack. This basic method of verification became increasingly ineffective with the advent of the internet, as fraud increased and details of the algorithm became widespread.
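The following Python sketch is an added example, not part of the original text. It shows why the Luhn check guards only against accidental error: the check digit is computed from the other digits with no secret, every single-digit typo is caught, yet one adjacent transposition still passes. The sample number and all function names are constructed for illustration.

```python
# Added illustration; the sample number is constructed, not a real card number.
SAMPLE = "1234095675"

def luhn_sum(digits):
    """Luhn weighted sum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return total

def luhn_valid(number):
    """A number passes when its weighted sum is a multiple of 10."""
    return number.isdigit() and luhn_sum(number) % 10 == 0

def luhn_check_digit(payload):
    """Check digit for a payload: computable by anyone, no secret involved."""
    return (10 - luhn_sum(payload + "0") % 10) % 10

def single_digit_errors_detected(number):
    """True if every one-digit substitution makes the number fail the check."""
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch and luhn_valid(number[:pos] + repl + number[pos + 1:]):
                return False
    return True

def undetected_adjacent_swaps(number):
    """Positions where swapping two different neighbouring digits still passes."""
    missed = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b and luhn_valid(number[:pos] + b + a + number[pos + 2:]):
            missed.append(pos)
    return missed

if __name__ == "__main__":
    print(luhn_valid(SAMPLE))
    print(luhn_check_digit(SAMPLE[:-1]))
    print(single_digit_errors_detected(SAMPLE))
    print(undetected_adjacent_swaps(SAMPLE))
```

The only transposition that slips through is the swap of an adjacent 0 and 9, because both digits contribute the same amount whether or not they are doubled.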
Today, half of all credit card fraud is conducted online. In response to this widespread fraud, credit card companies have implemented a static CVV (Card Verification Value) number printed on the back or front of cards at the time of issue. The CVV, usually a three- or four-digit number, is required to be entered at the time of transaction, particularly with online payment. A disadvantage of the CVV number system is that many modern credit card fraud systems use card details, including a static CVV number, gained from hacking online shopping payment databases, phishing techniques or screen and keylogging programs installed on a victim's computer system. Obviously, a major drawback to the CVV number system is the static nature of the printed numbers, which means that once the card details are compromised the victim can easily be defrauded repeatedly. Furthermore, the simple static nature of the CVV number system offers little proof that the remote user actually has the physical card in their possession, as this simple three- or four-digit number can easily be shared alongside other card details.
In response to this weak security method, some banks have begun issuing members with one-time password generating electronic devices, or hardware tokens. These devices have a small screen and a button which, when pressed, generates a one-time, dynamically changing password using encrypted secret key programming, changing the password code every minute or so. Disadvantages of this system include the enormous expense of buying and issuing these electronic devices, which must be secured from the factory of manufacture, battery maintenance, electronic fragility, inability to be carried inside conventional wallets, separation from the required membership card, and the internal clock synchronization necessary with the remote server.
Smart card technology has also been proposed as a secure verification method. This method has not become widely used, however, due to issues of remote infrastructure cost and availability, electronic cloning, the cost of cards with integrated circuits and the fragility of those circuits in day-to-day use.
Proximity cards, used as a payment system in some transportation services, have also been proposed. Apart from suffering from the same problems as smart card systems, they also have the added security issue of a potential unauthorized third party cloning or charging the card at a distance.
There is therefore a need for a secure, dynamically manipulatable password transaction verification system, but without the associated remote infrastructure costs and electronic security vulnerabilities of the prior art.